Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/crypto/ssh: add fipsonly mode #64769

Open
drakkan opened this issue Dec 16, 2023 · 3 comments
Open

x/crypto/ssh: add fipsonly mode #64769

drakkan opened this issue Dec 16, 2023 · 3 comments
Labels
Proposal Proposal-Accepted
Milestone
Backlog

Comments

@drakkan
Copy link
Member

drakkan commented Dec 16, 2023

Proposal Details

Similar to crypto/tls/fipsonly add golang.org/x/crypto/ssh/fipsonly

//go:build boringcrypto

// Package fipsonly restricts all SSH configuration to FIPS-approved settings.
//
// The effect is triggered by importing the package anywhere in a program, as in:
//
//	import _ "golang.org/x/crypto/ssh/fipsonly"
//
// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto.
@gopherbot gopherbot added this to the Proposal milestone Dec 16, 2023
@gopherbot
Copy link

Change https://go.dev/cl/550515 mentions this issue: ssh: add fipsonly mode

@rsc
Copy link
Contributor

rsc commented Jan 10, 2024

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

reedloden added a commit to gravitational/teleport that referenced this issue Jan 14, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
f4fb319 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
@reedloden reedloden mentioned this issue Jan 14, 2024
Merged
reedloden added a commit to gravitational/teleport that referenced this issue Jan 14, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
de861cf 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
reedloden added a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
ba79fd5 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
reedloden added a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
7e85674 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-merge-queue bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
d145487 
…hanges (#36685)

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-actions bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
40497d4 
…hanges

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
github-merge-queue bot pushed a commit to gravitational/teleport that referenced this issue Jan 15, 2024
@reedloden
Update FIPS algorithms inline with upstream x/crypto/ssh proposed c…
9e365c2 
…hanges (#36709)

`x/crypto/ssh` is adding a `fipsonly` mode (similar to `crypto/tls/fipsonly`) in
golang/go#64769. Once this has landed and been released, we'll swap to using it.
In the meantime, update our hardcoded algorithm set to match the algorithms listed
in https://go-review.googlesource.com/c/crypto/+/550515.

The only difference is that `aes192-ctr` is kept in `FIPSCiphers`, as it seems to be
approved by NIST SP 800-131A rev 2 (page 17).

Additionally, we now define a list of approved public key authentication algorithms for
SSH server connections. This isn't configurable for normal use case (yet), only handled
for FIPS builds.
@rsc
Copy link
Contributor

rsc commented Jan 19, 2024

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

Proposal is to add a new x/crypto/ssh/fipsonly package that is _ imported for the side effect of changing SSH configuration to FIPS-approved settings. The package only exists with GOEXPERIMENT=boringcrypto.

@rsc rsc changed the title proposal: x/crypto/ssh: add fipsonly mode x/crypto/ssh: add fipsonly mode Jan 19, 2024
@rsc rsc modified the milestones: Proposal, Backlog Jan 19, 2024
@kmoe kmoe mentioned this issue Feb 23, 2024
Closed
drakkan added a commit to drakkan/crypto that referenced this issue Feb 24, 2024
@drakkan
ssh: add fipsonly mode
e21c8ca 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Mar 7, 2024
@drakkan
ssh: add fipsonly mode
e2ff965 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
drakkan added a commit to drakkan/crypto that referenced this issue Apr 9, 2024
@drakkan
ssh: add fipsonly mode
0e61cc6 
Fixes golang/go#64769

Change-Id: I4132438bc5586215661c2c1872b5a6c7464badf4
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Proposal Proposal-Accepted
Projects
Proposals
Status: Accepted
Milestone
Backlog
Development

No branches or pull requests
3 participants
@rsc @drakkan @gopherbot